Filter out private IP destinations
NOT dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16") ...
Read post
Performance Difference Between dedup and stats
From Duckfez I'm going to say there likely won't be a huge material difference in any of these yes, leading wildcards usually matter as they force the reading of the lexicon of each tsidx file from beginning to end. But, for index it is a special case because all active index names are already known, in memory, and a set around O(1000) the second one - the one with stats - does not actually need the fields because stats knows which fields it needs, and because of "smart mode" will only ext...
Read post
Index config check
| rest splunk_server_group=dmc_group_indexer /servicesNS/-/-/data/indexes | fields splunk_server title repFactor homePath homePath_expanded coldPath coldPath_expanded thawedPath thawedPath_expanded summaryHomePath_expanded tstatsHomePath tstatsHomePath_expanded | eval Index = title, hot = mvappend(homePath, homePath_expanded), cold = mvappend(coldPath, coldPath_expanded), thawed = mvappend(thawedPath, thawedPath_expanded), summaries = summaryHomePath_expanded, dma = mvappend(tstatsHomePath, ts...
Read post
List all of your lookups
| rest splunk_server=local /servicesNS/-/-/data/transforms/lookups | fields title eai:appName type filename collection ...
Read post
Search to see number of concurrent searches
Courtesy of David Paper index=_internal earliest=-1h group=search_concurrency host=<search head glob> ("system total") | rex field=_raw mode=sed "s/system total/user=system/g" |eval user=coalesce(user,"system") | timechart max(active_hist_searches) by user ...
Read post
Splunk clustering status
1: STATUS_UP A peer showing no symptoms will be in the UP state this is the peak of health 2: STATUS_UNSTABLE If a peer shows concerning but tolerable symptoms it will be put in the UNSTABLE state. In this state the peer is still searched but we emit warnings about our symptoms on the bulletin board. Preempts all previous states. Currently symptoms that fall into this are: Clock skew between search head and peer. We get the peer's time from the timestamp on the Http Response headers during...
Read post
Data Durability Status and History
index=_internal host=indexer* OR host=cm* ((source=*splunkd.log* my guid) OR (source=*health* due_to_stanza="feature:data_searchable" color=red)) | eval type=case(match(source,"health"),"not searchable",match(source,"splunkd\.log"),"start-up") | timechart span=1m dc(sourcetype) by type Thanks to JonRust on Slack ...
Read post
Splunk dev with bump, refresh, restarts
_bump for “content files” (css/js/appserver), debug/refresh for “config changes/xml/conf” and “splunkweb restart” for persistant handlers. mod input, custom command py files are executed fresh each instantiation after the initial “pick up new things splunkd restart”. conf.spec requires restart Thanks, alacercogitatus ...
Read post
Rolling authentication failures by device over 1 minute windows
|tstats summariesonly=true allow_old_summaries=true count from datamodel=Authentication where Authentication.action="failure" by _time Authentication.dest span=1s | rename Authentication.* AS * | streamstats time_window=1m sum(count) AS dest_failures by dest ...
Read post